Dropbox hack confirmed real, 68 million accounts affected

Dropbox hack of 68 million user account credentials has been confirmed by security researcher Troy Hunt and Motherboard. Company advising a swift change in passwords.

The data leak occurred in 2012, what does this mean for discovery times?
The data leak occurred in 2012, what does this mean for discovery times?

Cloud storage company Dropbox has sent an email advising its users to update their passwords following leak of 68 million customer details.

The hack which occurred back in 2012 prompted a press release from the company which said that the passwords were stolen through an employee's account whose password was stolen. This allowed the hacker to obtain a “project document with user email addresses”.

These details have now reappeared and were discovered by Dropbox's Patrick Heim, its head of trust and security, who said that he came across them, after the “old set” of user credentials stolen in 2012 were made available.

Despite the company originally saying no user accounts were compromised, four 5GB files containing 68,680,741 accounts were recently uploaded to breach notification website Leakbase.

Vice-owned tech blog Motherboard independently verified the breach using an unnamed company which is claiming the data is real. Motherboard has highlighted that the passwords secured with bcrypt are unlikely to be revealed due to its strong capabilities.

Patrick Heim, head of trust and security at Dropbox told SCMagazineUK.com in a statement that: “This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since.”

Heim continues: “While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing.”

Australian security security researcher Troy Hunt has also seen the data, and is also saying they were hacked four years ago.

Hunt wrote in a blog post that, "What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes."

"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing," Hunt continued.

As with most big hacks this year, users are being advised to use strong passwords, not to re-use them on different services and if possible to use a password manager, even though it has been shown that passwords managers have flaws too.

Dropbox has already said those who haven't changed their passwords since the 2012 hack should update them as soon as possible, adding they'll be prompted to update their password the next time they sign in.

David Emm, principal security researcher at Kaspersky Lab told SC: “In today's digital world, breaches are becoming an unfortunate common occurrence. In fact, the news of the Dropbox security breach is reminiscent of the recent Tumblr hack in that the leak, or the scale of it, wasn't apparent for some time. Customers who entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner, and all companies that handle private data have a duty to secure it properly.”

Emm continues: “However, it's also important for consumers to understand that security can't be taken for granted, as you never know when your details could be at risk, as demonstrated by this breach. In this way, we would advise consumers to use complex passwords, supported by a password manager, as well as multi-factor authentication to guard against threat. Organisations should prepare on the basis that hackers will get in, it's therefore positive that we're starting to see a shift from organisations using defensive strategies, towards being better prepared. For example, Dropbox hashed and salted passwords, and immediately gave advice to consumers, recommending that they change their passwords as a precaution. We know that many people use the same password across multiple online accounts, so it's important that those affected take steps to change their password for other online accounts where they have used the same password.”

David Mount, director, security solutions consulting EMEA, Micro Focus told SC: “The danger for businesses is posed by users who signed up for Dropbox for work purposes using their work credentials because in that event, these credentials are now available on the open market. Organisations practising good password hygiene should be safe because users will have been forced to change their passwords since then, but not every business will have these sorts of processes in place. This means that some organisations will now be at risk as these compromised credentials could be used to access their systems.

“To help guard against this threat, it's good practice for all businesses to monitor for anomalous activity to make sure it's appropriate – enforcing the principle of least privilege. This is key to controlling how users are accessing data, especially for any accounts with privileged access.”